NetIQ to Ship Change Administration Tool

NetIQ will ship a new Windows-based tool next week aimed at simplifying user change administration.

Change Administrator 1.0 provides a more granular level of user rights assignment
than Active Directory alone, according to statements by San Jose, Calif.-based
NetIQ.

"Domain administration of groups on servers has become problematic [keeping
track of] who does what and what they have access to," says Jim McGrath,
NetIQ's senior director for product management.

Change Administrator is designed to enable IT managers to delegate administration
of servers on a role-based model that is both "granular" and "time-based,"
according to company statements. It also provides for so-called "just-in-time"
permissions.

The package helps manage complexity by enabling a "super administrator"
to create "proxy" accounts for lower-level administrators that enable
them to perform specific tasks. Rather than assigning expanded privileges to
the administrators' own native accounts, the proxies provide the necessary
permissions.

"You would keep your regular account [and instead] we will create and
maintain a separate account [and] when you're not using it, we take it
out of use," McGrath says.

That includes time-based credentials. For instance, it may be entirely appropriate
for an administrator to be performing particular tasks in the middle of the
workday but perhaps not in the middle of the night. The idea is to ensure that
unmanaged changes are limited, while not crippling the staff during a crisis.
Additionally, Change Administrator documents who did what in emergency situations
so that postmortem analysis can be performed.

But making providing centralized control of who makes changes and what those
changes are only deals with half of the problem. In NetIQ's model, Change
Administrator becomes the hub through which all administration tasks and details
are handled, making it the logical point at which to draw log data and reports.

It's not surprising, then, that NetIQ has a second tool in development
to provide regulatory and audit compliance tracking and reporting. Change Guardian,
due out later this year, will provide logging and reporting capabilities when
combined with Change Administrator, officials say.

However, Change Administrator does provide reporting capabilities. The package
provides reports on who can access which servers at what times, which servers
those accounts can access, and who made which changes. It also generates reports
tied to specific trouble tickets or change requests.